How an Alabama CU helped stop a four-state card-skimming spree

Gadsden, Ala.-based Family Savings Credit Union is being credited with helping catch crooks who made off with more than $43,000 skimmed from debit card holders in four states.

According to the Alabama attorney general’s office, authorities in early May arrested one suspect and issued an additional arrest warrant in connection with a debit-card skimming operation that impacted seven financial institutions and more than 300 consumers in Alabama, Georgia, Mississippi and Colorado who were believed to have been victims of the skimmers.

Police became aware of the crime in mid-April when – with the help of Family Savings CU – the Southside Police Department uncovered a possible skimmer at a local gas station. Surveillance video led agents to obtain the license plate number of the suspects’ car and tracked them back to Macon.

Macon, Ga. resident Janique Shontie Crafter, age 29, was subsequently arrested and charged with financial transaction card fraud forgery and financial identity fraud. She also faces charges for theft of property-first degree and identity theft in Etowah County, Alabama. A second suspect was identified as James Edward Faulks, II, age 37, of Macon. He remains at large.

“The debit card information that was skimmed in Southside was used to make illegal purchases in Vestavia Hills, Hoover, Pelham, Moody, Leeds and Oxford in Alabama, and Atlanta, LaGrange and Macon in Georgia,” Alabama Attorney General Steve Marshall said in a statement. “Had it not been for the vigilance of a local financial institution [FSCU] in discovering these suspicious transactions and in notifying law enforcement, this criminal activity might still be occurring.”

Paula Knowles, the fraud analyst at the $382 million-asset credit union who helped crack the case, told Credit Union Journal her office received calls from members and later from its call center alerting them of several “strange high-dollar transactions” with several members at various locations.

“We worked together and determined what we believed to be the common point-of-purchase,” she said. “I immediately notified the police department where the merchant is and explained the situation to them.”

Then, she said, by using a fraud-detection and anti-money laundering software, FSCU was able focus in on a specific time period, during which 296 cards were potentially impacted.

“Hard work and attentiveness from my staff… allowed me to even know where to start,” Knowles said. “We all worked together to research the accounts to verify that common point-of-purchase and went from there.” She notified law enforcement immediately because this was “more than a coincidence.”

Immediately thereafter, Knowles made the decision to reissue all those cards to prevent any further fraud. “Out of the 296 cards, we as a credit union only had around 18 victims,” she noted. “They have all been reimbursed for their loss so far.”

The fraudsters, Knowles explained, were basically cloning debit cards and using them to buy gift cards at Publix, Walmart and Kroger, among other stores. “The cloned card allowed them to copy not only the card number but the pin number as well. All these transactions were clearing as point-of-sale transactions, which is why most of them slipped through the fraud center.”

How big is the problem?Last April, FICO Card Alert Service reported that the number of ATMs in the US compromised by criminals rose by a whopping 546 percent in 2015 over 2014.

“Criminal activity was highest at non-bank ATMs, such as those in convenience stores, where 10 times as many machines were compromised as in 2014,” FICO added.

According to David N. Tente, executive director of the ATM Industry Association, skimming remains the “number one fraud issue” at ATMs and it is getting more sophisticated. “We are seeing more use of Bluetooth and deep-insert skimmers,” he added.

And the United States continues to see “a very strong increase in skimming” along with the rest of North and Central America, noted Nick Billett, senior director of Global Research & Development and head of ATM security at Diebold Nixdorf.

Skimming attacks, Billett indicated, are “pervasive” in the U.S.

Nick Billett, senior director of Global Research & Development and head of ATM security at Diebold Nixdorf

“Attackers are now targeting internal card-reader vulnerabilities using mass-market, low-power miniaturized skimmers,” he said. “Internal skimmers are very difficult to detect and can be left in the ATM for long periods of time.”

Detect and preventionCan these kinds of financial crimes be detected or even prevented?

Tente of ATMIA thinks the best defense is to deploy good anti-skimming counter-measures. “Monitoring systems that can detect tell-tale signs of skimming or counterfeit card use are also helpful,” he added.

David N. Tente, executive director at the ATM Industry Association

But Knowles of FSCU is not certain there is any effective way to stop this kind of fraud, citing that the Alabama gas station case the credit union helped crack was probably a “one-in-a-million” case.

“I have software that allows me to cross-reference accounts, track card use and fraud alerts,” she noted. “Knowing what I was looking for made this so much easier. [But] I am not sure if there is a way to prevent this type of fraud other than some type of penalty for gas stations/convenience stores who do not check their pumps regularly. We have no control over that.”

Can EMV help?Much attention has been focused upon EMV as the future of fighting such fraud, but source say even that is not necessarily a cure-all for a very complex problem.

Tente cautioned that so long as there is also a magnetic stripe on the card, “this problem will not go away.”

Billett added that once all fallback magnetic stripe transaction support is removed from the systems, “then the US should see a drop [in ATM fraud] similar to what was experienced in Europe.”

For its part, FSCU fully implemented chip cards on April 1, with Knowles noting that the credit union “opted not to do a mass reissue, only to reissue upon expiration. The chip cards will alleviate fraud until the fraudsters determine a way to beat that security measure. It will happen.”

In the meantime, Knowles said her next project will be to petition for some type of legislation requiring business owners to be trained on how to detect card fraud and then holding them responsible if they are not monitored daily, weekly or monthly.

“This type of crime occurs every day and [fraudsters] are becoming more sophisticated,” she warned. “These criminals are very tech savvy and most likely well-educated. “